Issue metadata

Status: Duplicate
Merged: issue 112983
Owner: ----
Closed: Apr 2012
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 0
Type: Bug-Security

Restricted
  • Only users with Commit permission may comment.

Issue 123881: Security: NULL deref (?) in browser during processing video tags with ftp urls in src

Reported by paw...@gmail.com, Apr 17 2012

Issue description

Version: 18.0.1025.162 m 
Type: browser crash

Open ftp.html, wait for crash.

Seems like just a NULL, but maybe I'm wrong...

(b88.618): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0711cf20 ebx=0a47e000 ecx=00000000 edx=00000002 esi=07ca0dc0 edi=0a47e010
eip=65426709 esp=064aef84 ebp=064aefb8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chrome_641c0000!net::URLRequestFtpJob::StartTransaction+0x1d:
65426709 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
0:012> k
ChildEBP RetAddr  
064aefb8 654268ee chrome_641c0000!net::URLRequestFtpJob::StartTransaction+0x1d [c:\b\build\slave\chrome-official\build\src\net\url_request\url_request_ftp_job.cc @ 69]
064aefc8 642ed28e chrome_641c0000!net::URLRequestFtpJob::Start+0x29 [c:\b\build\slave\chrome-official\build\src\net\url_request\url_request_ftp_job.cc @ 166]
064aefe0 642eb154 chrome_641c0000!net::URLRequest::StartJob+0xc5 [c:\b\build\slave\chrome-official\build\src\net\url_request\url_request.cc @ 478]
064aeff8 645bbd29 chrome_641c0000!net::URLRequest::Start+0x75 [c:\b\build\slave\chrome-official\build\src\net\url_request\url_request.cc @ 423]
064af050 645bbace chrome_641c0000!ResourceQueue::AddRequest+0xa3 [c:\b\build\slave\chrome-official\build\src\content\browser\renderer_host\resource_queue.cc @ 69]
064af078 645b76e1 chrome_641c0000!ResourceDispatcherHost::InsertIntoResourceQueue+0x18 [c:\b\build\slave\chrome-official\build\src\content\browser\renderer_host\resource_dispatcher_host.cc @ 1670]
064af0a8 645b3469 chrome_641c0000!ResourceDispatcherHost::BeginRequestInternal+0x1a5 [c:\b\build\slave\chrome-official\build\src\content\browser\renderer_host\resource_dispatcher_host.cc @ 1661]
064af298 645b2ca6 chrome_641c0000!ResourceDispatcherHost::BeginRequest+0x76d [c:\b\build\slave\chrome-official\build\src\content\browser\renderer_host\resource_dispatcher_host.cc @ 698]
064af2b0 645b2117 chrome_641c0000!ResourceDispatcherHost::OnRequestResource+0x19 [c:\b\build\slave\chrome-official\build\src\content\browser\renderer_host\resource_dispatcher_host.cc @ 463]
064af494 642e35f7 chrome_641c0000!ResourceHostMsg_RequestResource::Dispatch<ResourceDispatcherHost,ResourceDispatcherHost,int,ResourceHostMsg_Request const &>+0x4f [c:\b\build\slave\chrome-official\build\src\content\common\resource_messages.h @ 179]
064af570 642e34dc chrome_641c0000!ResourceDispatcherHost::OnMessageReceived+0x10a [c:\b\build\slave\chrome-official\build\src\content\browser\renderer_host\resource_dispatcher_host.cc @ 431]
064af584 642e1957 chrome_641c0000!ResourceMessageFilter::OnMessageReceived+0x16 [c:\b\build\slave\chrome-official\build\src\content\browser\renderer_host\resource_message_filter.cc @ 41]
064af5a4 642e171f chrome_641c0000!content::BrowserMessageFilter::DispatchMessageW+0x1f [c:\b\build\slave\chrome-official\build\src\content\public\browser\browser_message_filter.cc @ 93]
064af5d4 641f584d chrome_641c0000!content::BrowserMessageFilter::OnMessageReceived+0x2e [c:\b\build\slave\chrome-official\build\src\content\public\browser\browser_message_filter.cc @ 76]
064af5e8 642e12f7 chrome_641c0000!IPC::ChannelProxy::Context::TryFilters+0x29 [c:\b\build\slave\chrome-official\build\src\ipc\ipc_channel_proxy.cc @ 90]
064af5f8 641f52dc chrome_641c0000!IPC::ChannelProxy::Context::OnMessageReceived+0xe [c:\b\build\slave\chrome-official\build\src\ipc\ipc_channel_proxy.cc @ 104]
064af6c4 641f5014 chrome_641c0000!IPC::Channel::ChannelImpl::ProcessIncomingMessages+0xff [c:\b\build\slave\chrome-official\build\src\ipc\ipc_channel_win.cc @ 331]
064af6e4 641f2e20 chrome_641c0000!IPC::Channel::ChannelImpl::OnIOCompleted+0x5a [c:\b\build\slave\chrome-official\build\src\ipc\ipc_channel_win.cc @ 421]
064af718 641f2cf5 chrome_641c0000!base::MessagePumpForIO::WaitForIOCompletion+0x10e [c:\b\build\slave\chrome-official\build\src\base\message_pump_win.cc @ 515]
064af734 641f2868 chrome_641c0000!base::MessagePumpForIO::DoRunLoop+0x82 [c:\b\build\slave\chrome-official\build\src\base\message_pump_win.cc @ 477]
064af754 641f091a chrome_641c0000!base::MessagePumpWin::Run+0x3e [c:\b\build\slave\chrome-official\build\src\base\message_pump_win.h @ 64]
064af760 641f08c7 chrome_641c0000!MessageLoop::RunHandler+0x43 [c:\b\build\slave\chrome-official\build\src\base\message_loop.cc @ 390]
064af77c 641f2372 chrome_641c0000!MessageLoop::Run+0x3d [c:\b\build\slave\chrome-official\build\src\base\message_loop.cc @ 301]
064af784 641f2333 chrome_641c0000!base::Thread::Run+0xb [c:\b\build\slave\chrome-official\build\src\base\threading\thread.cc @ 127]
064af8e0 641f2297 chrome_641c0000!base::Thread::ThreadMain+0x95 [c:\b\build\slave\chrome-official\build\src\base\threading\thread.cc @ 164]
064af8ec 7685339a chrome_641c0000!base::`anonymous namespace'::ThreadFunc+0x1b [c:\b\build\slave\chrome-official\build\src\base\threading\platform_thread_win.cc @ 59]
064af8f8 77dd9ef2 kernel32!BaseThreadInitThunk+0xe
064af938 77dd9ec5 ntdll!__RtlUserThreadStart+0x70
064af950 00000000 ntdll!_RtlUserThreadStart+0x1b
 
Attachment: ftp.html (88 bytes)
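The reporter's "seems like just a NULL" hypothesis can be checked mechanically from the WinDbg output: the faulting instruction reads through ecx, ecx is zero, and the access annotation shows address 00000000 as unreadable, i.e. a read from the unmapped low 64 KiB of the Windows user address space rather than through an attacker-shaped pointer. The triage helper below is an added example, not code from the report or from Chromium; it parses a constructed dump trimmed from the lines quoted above and classifies the access violation.

```python
import re

# Constructed sample, trimmed from the WinDbg output quoted in the report above.
SAMPLE_DUMP = """\
(b88.618): Access violation - code c0000005 (first chance)
eax=0711cf20 ebx=0a47e000 ecx=00000000 edx=00000002 esi=07ca0dc0 edi=0a47e010
eip=65426709 esp=064aef84 ebp=064aefb8 iopl=0         nv up ei pl zr na pe nc
chrome_641c0000!net::URLRequestFtpJob::StartTransaction+0x1d:
65426709 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
"""

NULL_PAGE_LIMIT = 0x10000  # lowest 64 KiB is never mapped for Windows user-mode code

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
ACCESS_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=(\?{8}|[0-9a-f]{8})")
MEM_OPERAND_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)(?:[+-]0x[0-9a-f]+)?\]")


def parse_registers(dump):
    """Return {name: value} for the 32-bit registers printed by WinDbg's 'r' output."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def faulting_access(dump):
    """Return (address, readable) from the 'ds:sel:addr=value' annotation, or None."""
    m = ACCESS_RE.search(dump)
    if not m:
        return None
    return int(m.group(1), 16), not m.group(2).startswith("?")


def triage(dump):
    """Classify an access violation.

    'null-deref'     : faulting address is in the unmapped null page, the memory
                       operand's base register is zero and the read failed
                       (crash-only, no control over the pointer).
    'non-null-deref' : anything else; the pointer may be attacker-influenced and
                       needs a closer look before the bug is rated as a DoS.
    """
    regs = parse_registers(dump)
    access = faulting_access(dump)
    if access is None or "c0000005" not in dump:
        return "not-an-access-violation"
    addr, readable = access
    base = MEM_OPERAND_RE.search(dump)
    base_zero = base is not None and regs.get(base.group(1), -1) == 0
    if not readable and addr < NULL_PAGE_LIMIT and base_zero:
        return "null-deref"
    return "non-null-deref"
```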

Comment 1 by scarybea...@gmail.com, Apr 17 2012

Mergedinto: 112983
Status: Duplicate
Thanks for the report. Looks like a known issue, which should be fixed in Chrome 19 (currently in beta).

Comment 2 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
Mergedinto: chromium:112983
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 3 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security Type-Bug-Security

Comment 4 by bugdroid1@chromium.org, Mar 11 2013

Project Member
Labels: -Area-Undefined

Comment 5 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 6 by ClusterFuzz, Feb 6 2014

Project Member
Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 7 by ClusterFuzz, Feb 6 2014

Project Member
Labels: -Restrict-View-EditIssue
Bulk update: removing view restriction from closed bugs.

Comment 8 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
